Log In

Uber kicks off public bug bounty program

Offers rewards of up to US$10,000.

Uber has joined the likes of Google, Microsoft and Facebook to set up an official bug bounty program, inviting researchers to find and report vulnerabilties in the ride-sharing company's websites and mobile applications.

The program is run through San Franciso-based HackerOne, and pays out US$3000 for medium-severity issues such as reflected cross-scripting flaws, cross-site request forgery (XSS and CSRF respectively) flaws, access control and account validation bypasses, and similar vulnerabilties.

Bug hunters who find more significant problems - such as instances where sensitive customer and driver informaton could be leaked - will reap rewards of up to US$5000.

The bug bounty program follows a private beta trial that over 200 security researchers took part in, Uber said. That program discovered around 100 bugs which have now been fixed.

Several caveats are included in Uber's bug bounty program, which starts its first reward season May 1 United States time, and runs for 90 days.

Researchers will only be eligible for rewards once they've found four issues that Uber accepts are genuine bugs; if they find a further fifth vulnerability within the 90-day bug hunting season, Uber will pay out an additional bonus. This will amount to ten percent of the average payouts for all other issues discovered in the 90-day season.

High-quality vulnerability submissions will be publicly disclosed.

Uber has also set up a "treasure map" for researchers that outline the company's different online services, and with tips on how to find bugs.

The company's chief security and chief information security officers Joe Sullivan and John Flynn said the bug bounty program will help make Uber's code as secure as possible, and provide an incentive for its community to find subtle bugs.

All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.Your use of this website
constitutes acceptance of nextmedia's Privacy Policy and
Terms & Conditions.